Tower Records Settles FTC Charges

MTS, Inc., and Tower Direct, LLC, (“Tower”) have agreed to settle Federal Trade Commission charges that a security flaw in the Tower Web site exposed customers’ personal information to other Internet users, in violation of Tower’s privacy policy representations and federal law. The settlement will bar misrepresentations in the future, require Tower to implement an appropriate security program, and require audits of its Web site security every two years by a qualified third-party security professional for ten years.

The FTC alleges that, at the www.TowerRecords.com site, Tower’s privacy policy made claims such as “We use state-of-the-art technology to safeguard your personal information,” and “Your TowerRecords.com Account information is password-protected. You and only you have access to this information.” When Tower redesigned its site, however, it introduced a security vulnerability that allowed Web users to access Tower’s order history records and view certain personal information about other Tower customers, such as their names, billing and shipping address, e-mail addresses, phone numbers, and their past Tower purchases.

The FTC complaint charges that the security flaw was easy to prevent and fix, but that Tower failed to implement appropriate checks and controls in the process of writing and revising its Web applications; adopt and implement policies and procedures to test the security of its Web site; and provide appropriate training and oversight for its employees. It charges that Tower’s privacy policy assurances were therefore false and violated the FTC Act.

This is the agency’s fourth case targeting companies that misrepresent the security of consumers’ personal information. “In a fast moving world of electronic commerce, change is inevitable,” said Howard Beales, Director of the FTC’s Bureau of Consumer Protection. “Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities. Just as consumers remodeling their homes would make sure that the doors still have locks, companies should make sure that sensitive data is still protected.”

The settlement bars Tower from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of personal information collected from or about consumers. It also requires that Tower establish and maintain a comprehensive information security program. In addition, the company must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months, and every other year thereafter for a period of ten years. The settlement also contains record-keeping provisions to allow the FTC to monitor compliance.

The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 21, 2004, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: A consent agreement is for settlement purposes only and does not constitute an admission of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $11,000.

Copies of the complaint and consent agreement are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.